
Nothing Chats has been pulled from the Google Play Store because of serious security and privacy concerns. The brand launched the messaging app, which allowed Phone (2) users to send iMessages, in partnership with the Sunbird messaging platform. While the company assured users that the Nothing Chats app is end-to-end encrypted, it turns out that’s not the case.
According to X user Wukko, not only is Nothing Chats not end-to-end encrypted, it also sends all media attachments, including images, in plain text. The findings have been further corroborated by Dylan Roussel of 9to5Google and Texts.com. Let’s take a look at what the Nothing Chats privacy issue is and how it affects users.
Nothing Chats Found to Have Serious Security and Privacy Issues
Nothing launched the Chats app last week, and CEO Carl Pei even released a video taking a dig at Tim Cook. The company announced that it’s bringing iMessage support to its Phone (2) users through the Nothing Chats app. This is something Beeper and Sunbird have been doing for a while. Moreover, Wukko says that Nothing Chats is nothing but a skinned Sunbird app. It works by asking users to sign in using their Apple credentials, which are then routed through a Mac server farm. What sets Nothing Chats and Sunbird apart is the promise of end-to-end encryption throughout the whole process, as mentioned on both the Nothing and Sunbird websites.
nothing chats app (skinned sunbird) is an absolute privacy nightmare that sends/stores ALL data unencrypted on firebase
and for whatever reason it also sends ALL messages and attachments to sentry (again, in plain text) pic.twitter.com/CxBS7TZwCl
— wukko (@uwukko) November 18, 2023
However, recent investigations have shown that these claims are simply untrue. According to various reports, the user data on Sunbird’s server can be accessed in plain text. The X user Wukko revealed that all media attachments including pictures, documents, and more are sent to Sentry with links to these attachments in plain text format. Additionally, all data sent and received through Nothing Chats is routed through Firebase, which is also unencrypted.
Thread time!
Summary:
– Sunbird has access to every message sent and received through the app on your device.
– All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.
– Nothing Chats is not end-to-end encrypted.
— Dylan Roussel (@evowizz) November 18, 2023
9to5Google’s Dylan Roussel further confirmed that Sunbird has access to every message and all data sent or received through Nothing Chats. What’s more concerning is that all media on Nothing Chats, including images, videos, audio, PDFs, vCards, etc., is public. In what he calls the biggest privacy nightmare, Roussel says that Sunbird is using an error monitoring tool called Sentry to log messages, passing them off as errors. Roussel could also access all media sent by other users on Sunbird, and he mentions that over 6,37,780 media files stored by Sunbird are public.
We’ve removed the Nothing Chats beta from the Play Store and will be delaying the launch until further notice to work with Sunbird to fix several bugs.
We apologise for the delay and will do right by our users.
— Nothing (@nothing) November 18, 2023
Roussel goes on to elaborate that the biggest privacy concerns are vCards containing users’ personal information (he found that the personal information of over 2300 users was accessible) and files being saved with their original file names. He then went on to say that while Sunbird misled Nothing by saying messages are end-to-end encrypted, Nothing should have done its due diligence before slapping its brand name on the project. According to the expert, the brand should not just delay the launch of the Nothing Chats app but should cancel the whole project in the best interest of its users.